Author |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Mon 06 Oct '14 20:29 Post subject: |
|
|
May I ask what is the reason for running FIPS ... other than "because we can." Does it give any better encryption than OpenSSL without FIPS?
My understanding is that FIPS is a set security policy which may be required for any number of reasons. As far as the encryption end, it has a small set of elliptical curves it can use. However this policy also regulates how the OpenSSL FIPS source is obtained, built and installed onto any server. Just having FIPS does not automatically make you able to be FIPS verified.
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Tue 07 Oct '14 16:48 Post subject: |
|
|
If you read the security policy, it is not hard to build a FIPS validated module for Windows. See the 2.0.8-version here:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
In fact, the hardest part was unpacking openssl-fips-2.0.8.tar.gz. 7Zip does not do the job because that file contains symlinks. I used 'tar xvf fips-2.0.8.tar.gz', using Cygwin's tar.exe for that. After that, running (W2) ms\do_fips.bat or (W1) ms\do_fips.bat no-asm in a VCx prompt will give you the desired fipscanister.lib
Linking that module into OpenSSL is done by configuring OpenSSL with perl Configure VC-WIN32 fips (no-asm) or perl Configure VC-WIN64A fips (no-asm). Not hard at all if your are used to building OpenSSL on Windows.
If you follow the rules, this validation and certificate applies:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0018.pdf
Note: somebody that downloads my openssl-fips build cannot know for sure that I followed the rules, so he cannot claim FIPS validation. He will have to build openssl-fips for himself to be sure.
I will not claim certification either, but it is not a 'because we can' issue. The sites we build for our US customers might contain patient data, so HIPAA comes into play. HIPAA does not require FIPS validation. but requires a 'business associate' to implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. See http://www.hipaa.com/2009/07/transmission-security-encryption-what-to-do-and-how-to-do-it/
From the same page:
Quote: | Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. |
The easiest way to 'meet the standard' is to install and activate FIPS support in OpenSSL. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 16 Oct '14 0:30 Post subject: |
|
|
Jan-E wrote: | The easiest way to 'meet the standard' is to install and activate FIPS support in OpenSSL. |
One thing it does make perfectly clear;
Quote: | ii) “Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications |
It points to SP 800-52 which was revised in June 2014.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
Section 3.3.2 says it must be FIPS validated modules, which is only validated when the security policy is met in it's entirety, not partially.
Obviously we are treading into legal areas here best dealt with by lawyers. But if it were my company, I'd hire someone to follow the security policy to the letter thereby reducing my exposure to lawsuit. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
|
Back to top |
|
gman8321
Joined: 01 Dec 2014 Posts: 1 Location: US, Madison
|
Posted: Mon 01 Dec '14 19:14 Post subject: Error running FIPS module with Apache Lounge HTTPD build |
|
|
Jan-E. Appreciate you work on this. I'm testing your openssl-1.0.1j-fips-2.4.10-x64-vc11 module prior to attempting my own build. I receive the following errors:
httpd.exe: Syntax error on line 17 of path/conf/httpd.conf: Cannot load path/modules/mod_ssl_fips.so into server: The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or us .
Activation context generation failed for "path\modules\mod_ssl_fips.so". Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found. Please use sxstrace.exe for detailed diagnosis.
I copied openssl-1.0.1j-fips-2.4.10-x64-vc11\bin files to the Apache bin folder. Replaced the default mod_ssl.so with your mod_ssl.
Any thoughts on this? |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Tue 02 Dec '14 12:51 Post subject: |
|
|
Looking at the error message either your Apache or your mod_ssl_fips.so is VC9 X86. To check mod_ssl_fips.so open it for instance in Notepad++ and search for MSVC. There should be a reference to MSVCR110.dll there (and not to MSVCR90.dll) if you are using a VC11 Apache. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Fri 20 Mar '15 8:04 Post subject: |
|
|
Updated to openssl-fips-1.0.1m- |
|
Back to top |
|
puertoblack2003
Joined: 31 Jul 2009 Posts: 121 Location: U.S
|
Posted: Wed 25 Mar '15 5:55 Post subject: |
|
|
thank you |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Mon 20 Jul '15 17:24 Post subject: |
|
|
Your cipherlist has one nasty thing. Open your site in Chrome, click on the lock symbol, then on the Connection tab.
In Dutch it tells me:
Quote: | Je verbinding met mariobrandt.de is versleuteld met verouderde cryptografie |
I guess I do not have to translate that into German... |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Wed 22 Jul '15 12:04 Post subject: |
|
|
It seems that chrome uses still the SHA1 which I tought I replaced ... I look into that. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Wed 22 Jul '15 12:20 Post subject: |
|
|
it might tells "old" and not modern, however it is 256 bit vs 128 bit.
I managed to get it working with 256 except Chrome
Code: |
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
|
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Mon 10 Aug '15 23:13 Post subject: |
|
|
Chrome might barf about a not modern config, hoever the encryption is not 256 in all cases. That is why I switched back to
Code: | SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS |
The SSL Test lab result on Cipher Strength went up again from 90 to a 100. |
|
Back to top |
|
Cy4n1d3
Joined: 22 Apr 2013 Posts: 17
|
Posted: Mon 14 Nov '16 22:56 Post subject: |
|
|
Hey Jan-E,
do you by chance have a compiled version of the needed Apache 2.4.23 files with OpenSSL FIPS?
Regards Chris |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
|
Back to top |
|
Cy4n1d3
Joined: 22 Apr 2013 Posts: 17
|
Posted: Tue 15 Nov '16 13:57 Post subject: |
|
|
VC14 is perfect, thanks alot!
|
|
Back to top |
|